Re: [Sidrops] Multiple publication points in certificate

Geoff Huston <gih@apnic.net> Thu, 28 July 2022 12:20 UTC

From: Geoff Huston <gih@apnic.net>
To: "Hove, K.W. van (Koen, Student M-CS)" <k.w.vanhove@student.utwente.nl>
CC: Job Snijders <job@fastly.com>, "sidrops@ietf.org" <sidrops@ietf.org>
Thread-Topic: [Sidrops] Multiple publication points in certificate
Date: Thu, 28 Jul 2022 12:20:09 +0000
Message-ID: <51D3C8D2-1364-4975-A7EC-A01B6C5A71D9@apnic.net>
References: <DB9P195MB1420D2ABBBC3111449F141BB8C979@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM> <YuGlK4hrITxZx+4v@snel> <DB9P195MB14209DD920FA448F9738E3CB8C969@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM>
In-Reply-To: <DB9P195MB14209DD920FA448F9738E3CB8C969@DB9P195MB1420.EURP195.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidrops/WMv4A1ieG_MvoEjFhV5xoS-PA7g>
Subject: Re: [Sidrops] Multiple publication points in certificate

RFC6487: SIA (sec 4.8.8.1)

   Other accessDescription elements with
   an accessMethod of id-ad-caRepository MAY be present.  In such cases,
   the accessLocation values describe alternate supported URI access
   mechanisms for the same directory.  The ordering of URIs in this
   accessDescription sequence reflect the CA's relative preferences for
   access methods to be used by RPs, with the first element of the
   sequence being the most preferred by the CA.

> So far it seems that:
> - Routinator only visits the first
> - OctoRPKI only visits the second
> - rpki-client outputs "RFC 6487 section 4.8: SIA: rpkiNotify already specified" and visits neither
> - FORT outputs "Extension 'SIA' has multiple 'rpkiNotify' HTTPS URIs." and visits neither


Seems that the relevant standard specifies that a relying party should work with the entire list of URIs
listed in the certificate’s SIA field and work through them until success or until all locally supported
URI access methods have been tried. The CA provides the CA-preferred order to test the URI list, but the
Relying Party can apply its own preference to the list of course.


regards,

   Geoff
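As an added example (not code from the thread or from any of the relying-party implementations named in it), the following Python walks a DER-encoded SIA extension built from the URIs in Koen's certificate and then applies the RFC 6487 4.8.8.1 reading of the list: keep every accessLocation, grouped by accessMethod, and try them in the CA's order until one succeeds. The OID table, the encoder used to construct the sample extension and the `fetch` callback (a stand-in for an RRDP or rsync client) are the only assumptions.

```python
# Added example (not code from the thread or any RP it names): minimal DER walk over an
# RFC 6487 SIA extension, then the "try same-method URIs in CA order" reading of 4.8.8.1.
ACCESS_METHODS = {  # DER content octets -> dotted OID (RFC 5280 / 6487 / 8182)
    "2b06010505073005": "1.3.6.1.5.5.7.48.5",    # id-ad-caRepository
    "2b0601050507300a": "1.3.6.1.5.5.7.48.10",   # id-ad-rpkiManifest
    "2b0601050507300d": "1.3.6.1.5.5.7.48.13",   # id-ad-rpkiNotify
}
DOTTED_TO_DER = {v: k for k, v in ACCESS_METHODS.items()}

def tlv(tag, body):
    """DER TLV; long-form length once the body reaches 128 bytes."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sia(descs):
    """Encode [(dotted OID, uri)] as SubjectInfoAccessSyntax; URI GeneralName is [6] = 0x86."""
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0x06, bytes.fromhex(DOTTED_TO_DER[m])) + tlv(0x86, u.encode("ascii")))
        for m, u in descs))

def read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low 7 bits = number of length octets
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_sia(der):
    """Return [(accessMethod, accessLocation)] in the order the CA listed them."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30: raise ValueError("SubjectInfoAccessSyntax must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        _, ad, pos = read_tlv(body, pos)
        t_oid, oid, p = read_tlv(ad, 0)
        t_loc, loc, _ = read_tlv(ad, p)
        if t_oid != 0x06 or t_loc != 0x86:  # RPKI uses only URI GeneralNames
            raise ValueError("malformed AccessDescription")
        out.append((ACCESS_METHODS.get(oid.hex(), oid.hex()), loc.decode("ascii")))
    return out

def fetch_in_ca_order(descs, method, fetch):
    """RFC 6487 4.8.8.1: walk every accessLocation for `method`, CA-preferred first,
    until one fetch succeeds; (None, None) once the whole list is exhausted."""
    for uri in (u for m, u in descs if m == method):
        try:
            return uri, fetch(uri)
        except OSError:
            continue                    # unreachable: fall back to the next URI
    return None, None
```

Run against the sample, the parser returns both id-ad-rpkiNotify entries in order, and the fallback reaches notification2.xml when the first notification URI is unreachable, which is the behaviour none of the four RPs listed above currently exhibits.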

> On 28 Jul 2022, at 7:36 am, Hove, K.W. van (Koen, Student M-CS) <k.w.vanhove@student.utwente.nl> wrote:
> 
> Hi Job, all,
> 
> I did indeed see that draft from sidr. If it is possible, then it might make the repository migrations as touched upon by Tim yesterday far simpler (as you could go from "A" to "A and B" to "B").
> 
> I quickly created a certificate with two RRDP points. The TAL for it can be found here: https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/koenvh-P.tal 
> 
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number:
>            79:6a:49:49:3d:05:6d:17:2a:ba:b5:79:65:d8:46:82:16:52:77:ef
>    Signature Algorithm: sha256WithRSAEncryption
>        Issuer: CN=226f435fd04b482d853462ad40735c05bd34b8f2
>        Validity
>            Not Before: Jul 28 09:25:51 2022 GMT
>            Not After : May 16 09:25:51 2032 GMT
>        Subject: CN=226f435fd04b482d853462ad40735c05bd34b8f2
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>                Public-Key: (2048 bit)
>                Modulus:
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Subject Key Identifier: 
>                22:A0:53:E0:41:42:C7:B8:F0:CA:A4:51:F5:94:38:EF:EE:E0:1D:09
>            X509v3 Authority Key Identifier: 
>                keyid:22:A0:53:E0:41:42:C7:B8:F0:CA:A4:51:F5:94:38:EF:EE:E0:1D:09
> 
>            X509v3 Basic Constraints: critical
>                CA:TRUE
>            X509v3 Key Usage: critical
>                Certificate Sign, CRL Sign
>            Subject Information Access: 
>                1.3.6.1.5.5.7.48.10 - URI:rsync://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/repository/koenvh.mft
>                1.3.6.1.5.5.7.48.13 - URI:https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/notification.xml
>                1.3.6.1.5.5.7.48.13 - URI:https://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/notification2.xml
>                CA Repository - URI:rsync://p-91dd2bba-7290-4399-baa4-4114f4b25e33.rpki.koenvh.nl/repository/
> 
>            X509v3 Certificate Policies: critical
>                Policy: 1.3.6.1.5.5.7.14.2
> 
>            sbgp-ipAddrBlock: critical
>                0.0.....0....0.....0....
>            sbgp-autonomousSysNum: critical
>                0...0.0
> ..........
>    Signature Algorithm: sha256WithRSAEncryption
> 
> So far it seems that:
> - Routinator only visits the first
> - OctoRPKI only visits the second
> - rpki-client outputs "RFC 6487 section 4.8: SIA: rpkiNotify already specified" and visits neither
> - FORT outputs "Extension 'SIA' has multiple 'rpkiNotify' HTTPS URIs." and visits neither
> 
> So current behaviour seems to be quite diverging. 
> 
> Cordially,
> Koen van Hove
> 
> From: Job Snijders <job@fastly.com>
> Date: Wednesday, 27 July 2022 at 22:51
> To: Hove, K.W. van (Koen, Student M-CS) <k.w.vanhove@student.utwente.nl>
> Cc: sidrops@ietf.org <sidrops@ietf.org>
> Subject: Re: [Sidrops] Multiple publication points in certificate
> Hi Koen,
> 
> On Wed, Jul 27, 2022 at 08:17:03PM +0000, Hove, K.W. van (Koen, Student M-CS) wrote:
>> Recently I investigated strategies to make ROAs more resilient to
>> outages by publishing them at multiple publication points. During the
>> discussion, I noticed that the SIA AccessDescription extension on
>> certificates, specifically the id-ad-rpkiNotify accessMethod
>> referenced in RFC 8182 section 3.2, does not mention that there can
>> only be one. As far as I can see, there is no restriction in the
>> standard that there must be at most one for each type. In theory
>> multiple RRDP URIs (or rsync URIs for that matter) should be possible.
>> Is this correct, or did I overlook something? And if so, what is the
>> expected behaviour when multiple are defined? 
> 
> There is some prior work that might be of interest to you:
> 
>    https://datatracker.ietf.org/doc/html/draft-ietf-sidr-multiple-publication-points
> 
> Specifically section 4, which notes:
> 
>    "The support for multiple operators in the RPKI Certificate
>    Authority (CA) and End Entity (EE) certificates is supported as the
>    RFC 5082 allows multiple repository publication point operators as
>    the SIA, AIA and CRLDP are implemented as sequences. Consequently,
>    no changes are needed on the existing RPKI standard and this section
>    could be considered informative."
> 
> I am not sure what the expected behavior would be when multiple are
> specified in the Subject Information Access extension.
> 
> I believe rpki-client (at the moment of writing) only uses a single
> id-ad-rpkiNotify access description entry (if encountered) and will
> ignore additional entries (if multiple exist).
> 
> Reviving draft-ietf-sidr-multiple-publication-points (or starting from
> scratch in a new document), outlining what the desired strategy is, is
> a possibility. I suspect an argument can be made that if multiple
> id-ad-rpkiNotify are specified, an RP has to contact *all* publication
> points, to increase its chances of finding the Manifest with the highest
> ManifestNumber (I imagine multiple pubpoints existing increases the
> chances of them being out-of-sync with each other).
> 
> I look forward to your findings.
> 
> Kind regards,
> 
> Job
> 